Adobe Confirms Serious PDF Attack Bypassing Reader Protections

Engineers at Adobe Systems confirmed the presence of two zero-day vulnerabilities in Adobe Reader being used in active attacks targeting individuals with malicious PDF files.

The coding errors affect every version of the software, including Reader X and XI, which were designed to thwart such attacks. In a security advisory issued late Wednesday, Adobe said its engineering team was working on a patch.

"Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message," the company said. "These vulnerabilities could cause the application to crash and potentially allow an attacker to take control of the affected system."

Adobe issued a workaround, urging users of Reader X and XI on Windows to enable Protected View, a read-only mode that blocks most actions and application behavior until the user indicates they trust the document. The company has also referred IT administrators to information on enabling Protected View across the enterprise.

Researchers at FireEye said the two-pronged attack begins with a phony PDF file. A second file is then dropped on the victim's PC, which attempts to communicate with a remote command and control server.

"Before we get confirmation from Adobe and a mitigation plan is available, we suggest that you not open any unknown PDF files," said FireEye researchers Yichong Lin, Thoufique Haq and James Bennett in a blog post about the threat.

Adobe has been busy issuing fixes to its software products. On Tuesday, Adobe issued a security update repairing 17 critical flaws in Flash Player on Windows. Meanwhile, researchers at U.K.-based security firm Sophos have published an analysis of an attack using an Adobe Flash Player zero-day vulnerability. The firm said the attack used a spearphishing email message attempting to trick the targeted individual into clicking a link. The company called the malware a "work in progress," with incomplete features that indicated the cybercriminals were testing its use.

"The programming shows a lot of clumsiness, but this is counterbalanced by the fact that it features an in-memory plugin architecture and uses a previously unknown zero-day Flash exploit," wrote Sophos malware researchers Gabor Szappanos and Peter Szabo. "In short, it's an interesting mix of professional work and amateur integration."